Cisco Connect 2019, Serbia, 19th March 2019
Local knowledge.
Cisco Connect 2019 Security
COM-4T DOO Belgrade
presenter: Branislav Ostojić
[Figure: trust matrix. Rows: Trusted Asset, Trusted User, Partners. Columns: Cloud App A, Cloud App B, Server A, Server B (Cloud and On Prem), grouped into Trusted App / Services and Non-Trusted App / Services; ✓ marks an allowed combination and ✕ a denied one.]
Improved Visibility and Decision | Software-Defined Segmentation, Service Access & Entitlement | Location-Free App/Service Access
Context attributes: Vulnerability, Threats, Posture, Behavior, Time, Location, User-Groups, Device-type
CISCO IDENTITY SERVICES ENGINE
Connecting trusted users and devices to trusted services
Use Cases (Customer: Guest, Corporate, BYOD)
WIRELESS: Starts with wireless; non-disruptive due to SSIDs
WIRED: Control wired access; 802.1X / MAB (with Profiling)
POSTURE: See apps & HW inventory; enforce system compliance
SEGMENTATION: Use SGTs for segmentation; enforce group based policies
RTC: Integrate with eco-system partners; contain threats
COMPLIANCE | PCI, HIPAA, SOX, Financial and other regulations
VISIBILITY | Users, Devices, Location, Applications, Threats, Vulnerabilities
CONTROL | Authorized network access, Segmentation, Threat Containment
Not a standard or recommended approach | Each use case may be the end goal
Asset Visibility: Cisco ISE can reach deep into the network to deliver superior visibility into who and what is accessing resources.
Access Control: Consistent access control across wired, wireless and VPN networks. 802.1X, MAC, Web Authentication and Easy Connect for admission control.
Guest Access: Fully customizable branded mobile and desktop guest portals, with dynamic visual workflows to easily manage the guest user experience.
BYOD Access: Simplified BYOD management with built-in CA and 3rd party MDM integration for onboarding and self-service of personal mobile devices.
Segmentation: Topology independent software-defined segmentation policy to contain network threats.
Threat Control: Protection against threats across the attack continuum, before, during and after an attack. Reduce time-to-detection from days to hours.
Device Admin: Cisco ISE supports device administration using the TACACS+ security protocol to control and audit the configuration of network devices.
Context Exchange: Context sharing with the partner eco-system to improve their overall efficacy and accelerate time to containment of network threats.
AnyConnect Identity Extensions (ACIDex) | Device Sensor (DS)
The profiling service in Cisco ISE identifies the devices that connect to your network.
[Figure: endpoints send interesting data that reveals their device identity to Cisco ISE through ACIDex and the Device Sensor (DS); the profiler Feed Service supplies profile updates (online/offline).]
Guest Access
• 1 million supported guest accounts
• Guest account notification options: email, print, SMS
• API: manage guest accounts via REST
The 3 types of guest access:
• Hotspot: immediate, un-credentialed Internet access
• Self Registered: self-registration by guests; sponsors may approve access
• Sponsored Guest Access: authorized sponsors create the account and share credentials
Portal language customization
Social Media Login support (Facebook)
Simple BYOD (Base License):
• Guest type 'internet only' access to personal device, or
• Password based access to BYOD SSID, limited access
Full BYOD (Base + Plus License):
• Full automation of the BYOD process: device registration, native supplicant configuration, certificate installation, management
• ISE internal CA for BYOD certificates
• Access based on MDM policy
• Single / dual SSID provisioning
• Native supplicant & cert provisioning
• EMM integrations
Device Support
[Figure: device / resource matrix showing which device classes reach PUBLIC and CORPORATE resources]
Supported platforms: iDevice, Android, macOS, Windows, ChromeOS
MDM Policy Checks
Device registration status
Device compliance status
Disk encryption status
Pin lock status
Jailbreak status
Manufacturer
Model
IMEI
Serial number
OS version
Phone number
Posture Compliance assessment for Mobile devices
[Figure: personal device, Cisco ISE, MDM, Internet and Corporate network]
1. Register with ISE
2. Internet access
3. Register with MDM
4. Comply with MDM policy
5. Allow corporate access
MDM partners: Good, SAP, Absolute Software, IBM, AirWatch, Tangoe, MobileIron, Globo, Jamf Software, Symantec, MaaS360
Posture
Remediation Actions
Anti-Malware Condition
Anti-Spyware Condition
Anti-Virus Condition
File Remediations
Launch Program Remediations
Link Remediations
Patch Management Remediations
USB Remediations
Windows Server Update Services
Windows Update Remediations
Posture defines the state of compliance with the company's security policy.
Posture Flow
1. Authenticate User/Device. Posture: Unknown/Non-Compliant?
2. Quarantine: limited access via VLAN/dACL/SGTs
3. Posture Assessment: check hotfix, AV, pin lock, USB device, etc.
4. Remediation: WSUS, launch app, scripts, MDM, etc.
5. Authorization Change: full access via VLAN/dACL/SGTs
[Figure: example loop; the Anti-Virus check fails, an Antivirus Update remediation runs, then the check is repeated]
Posture
Anti-Malware Condition
Anti-Spyware Condition
Anti-Virus Condition
Application Condition
Compound Condition
Disk Encryption Condition
File Condition
Patch Management Condition
Registry Condition
Service Condition
USB Condition
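A small simulation of the posture flow above, written for this page as an added example (it is not Cisco ISE code): an endpoint's reported state is checked against conditions of the kinds listed (anti-virus, patch management, disk encryption, USB), a failing endpoint gets the limited quarantine authorization, automatic remediations are applied, and full access is granted only once every condition passes. The condition definitions, remediation names, VLAN/dACL/SGT values and the endpoint report fields are constructed assumptions.

```python
"""Posture assessment and authorization flow modelled on the five steps
on the slide: authenticate, quarantine, assess, remediate, change
authorization.

Added example; not Cisco ISE code. Condition names, remediation names,
VLAN/dACL/SGT values and the endpoint report fields are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Endpoint:
    """What a posture agent would report about a host (constructed fields)."""
    mac: str
    av_installed: bool
    av_definitions_age_days: int
    missing_hotfixes: List[str]
    disk_encrypted: bool
    usb_storage_attached: bool


@dataclass
class Condition:
    name: str
    passes: Callable[[Endpoint], bool]          # True when the endpoint is compliant
    remediation: str                            # remediation action shown to the user
    fix: Optional[Callable[[Endpoint], None]] = None   # None: cannot be fixed automatically


def _update_av(e: Endpoint) -> None:
    e.av_installed = True
    e.av_definitions_age_days = 0


def _apply_hotfixes(e: Endpoint) -> None:
    e.missing_hotfixes.clear()


def _eject_usb(e: Endpoint) -> None:
    e.usb_storage_attached = False


# Posture conditions of the kinds listed on the slide (assumed thresholds).
CONDITIONS = [
    Condition("Anti-Virus", lambda e: e.av_installed and e.av_definitions_age_days <= 7,
              "Antivirus update", _update_av),
    Condition("Patch Management", lambda e: not e.missing_hotfixes, "WSUS", _apply_hotfixes),
    Condition("Disk Encryption", lambda e: e.disk_encrypted, "Link to encryption guide"),
    Condition("USB", lambda e: not e.usb_storage_attached, "USB remediation", _eject_usb),
]

# Authorization results; VLAN, dACL and SGT values are constructed.
QUARANTINE = {"vlan": "Quarantine", "dacl": "PERMIT_REMEDIATION_ONLY", "sgt": 255}
FULL_ACCESS = {"vlan": "Data", "dacl": "PERMIT_ALL", "sgt": 10}


def assess(endpoint: Endpoint) -> List[Condition]:
    """Step 3: return every condition the endpoint currently fails."""
    return [c for c in CONDITIONS if not c.passes(endpoint)]


def posture_flow(endpoint: Endpoint, authenticated: bool = True, max_rounds: int = 2) -> Dict:
    """Steps 1 to 5. The endpoint starts in quarantine; automatic fixes are
    applied for each failed condition and the assessment is repeated. Full
    access is granted only when nothing fails; otherwise the endpoint stays
    quarantined with the outstanding conditions reported."""
    if not authenticated:                      # step 1 failed: no network access at all
        return {"authorization": None, "remediations": [], "outstanding": []}
    applied: List[str] = []
    for _ in range(max_rounds):
        failed = assess(endpoint)
        if not failed:                         # step 5: change of authorization
            return {"authorization": FULL_ACCESS, "remediations": applied, "outstanding": []}
        for cond in failed:                    # step 4: remediation where possible
            if cond.fix is not None:
                cond.fix(endpoint)
                applied.append(cond.remediation)
    return {"authorization": QUARANTINE, "remediations": applied,
            "outstanding": [c.name for c in assess(endpoint)]}


if __name__ == "__main__":
    # Constructed endpoint: stale AV definitions and one missing hotfix.
    host = Endpoint("00:11:22:33:44:55", True, 30, ["KB-CONSTRUCTED-1"], True, False)
    print(posture_flow(host))
```

The `Disk Encryption` condition has no automatic fix on purpose: it is the case where the flow ends with the endpoint still in the quarantine VLAN/dACL and the outstanding condition listed for the user, which is how a limited-access state persists until a manual remediation is done.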
Traditional Segmentation
[Figure: access layer ports for Employee, BYOD, Supplier/Guest, Voice and Non-Compliant endpoints mapped to separate VLANs (Data VLAN, BYOD VLAN, Guest VLAN, Voice VLAN, Quarantine VLAN) through the aggregation layer to the enterprise backbone]
Every VLAN brings its own: address, DHCP scope, redundancy, routing, static ACL, VACL.
Security policy based on topology: high cost and complex maintenance.
Group Based Policy
[Figure: Employee, Supplier, BYOD and Non-Compliant endpoints share the Data VLAN at the access layer (Voice keeps the Voice VLAN); ISE assigns an Employee Tag, Supplier Tag or Non-Compliant Tag, enforced at the DC firewall / switch in front of the DC servers across the enterprise backbone]
Use the existing topology and automate security policy to reduce OpEx:
• No VLAN change
• No topology change
• Central policy provisioning
• Micro/macro segmentation
Context Exchange
[Figure: context sources (Directory Services, Vulnerability Scanners, System managers, Threat Intelligence, Mobility Services Engine, Mobile Device Managers) and endpoints feed Cisco ISE, which builds the context Who, What, When, Where, How, Posture, Threat, Vulnerability and Scalable Group and applies policy]
Visibility and Access Control: ISE builds context and applies access control restrictions to users and devices.
Context Reuse: by eco-system partners (Stealthwatch, Firepower Services, DNAC, 3rd party partners) for analysis & control.
Exchange channels:
• pxGrid
• REST API
• Syslog
Data exchanged: threat events, CVSS, IOC, vulnerability assessments, threat notifications
[Figure: AMP and Qualys report threat and vulnerability data about endpoints to Cisco ISE]
Cisco ISE protects your network from data breaches by segmenting compromised and vulnerable endpoints for remediation.
Complements Posture: vulnerability data tells the endpoint's posture from the outside.
Expanded control: driven by threat intelligence and vulnerability assessment data.
Faster response: with automated, real-time policy updates based on vulnerability data and threat metrics.
Context attributes: Who, What, When, Where, How, Posture, Threat, Vulnerability
Create ISE authorization policies based on the threat and vulnerability attributes
Network Access Policy: Common Vulnerability Scoring System (CVSS) | Indicators of Compromise (IOC)
[Figure: authorization matrix of the Employee, Supplier and Quarantine roles against Shared Server, Server, High Risk Segment and Internet]
Rapid Threat Containment flow:
1. Stealthwatch, Firepower or a 3rd party app such as Splunk raises an event: Event: XYZ, Source IP: 10.4.51.5, Role: Supplier, Response: Quarantine
2. ISE issues a Change of Authorization and moves the endpoint to Quarantine on the network fabric.
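The rapid threat containment exchange above, carried a step further as an added example (not ISE, pxGrid or any partner product's code): event lines of the form shown on the slide, plus constructed vulnerability-assessment and IOC lines, are parsed into per-endpoint context, and an ordered authorization policy decides which endpoints need a Change of Authorization. The line format beyond the slide's one example, the CVSS threshold, the role-to-SGT mapping and the sample IPs are assumptions.

```python
"""Threat- and vulnerability-driven authorization: partner events about a
source IP are folded into endpoint context, and a policy ordered from most
to least restrictive decides the Change of Authorization (CoA).

Added example, not Cisco ISE or pxGrid code. Everything beyond the slide's
single event line (the other lines, the CVSS threshold, SGT numbers) is
constructed for illustration."""
from typing import Dict, Iterable

# Constructed sample feed; the first line is the event shown on the slide.
SAMPLE_EVENTS = [
    "Event: XYZ, Source IP: 10.4.51.5, Role: Supplier, Response: Quarantine",
    "Event: Vulnerability Assessment, Source IP: 10.4.51.9, Role: Employee, CVSS: 9.8",
    "Event: Vulnerability Assessment, Source IP: 10.4.51.12, Role: Employee, CVSS: 3.1",
    "Event: IOC, Source IP: 10.4.51.12, Role: Employee, Indicator: beaconing",
    "Event: Vulnerability Assessment, Source IP: 10.4.51.20, Role: Supplier, CVSS: 2.0",
]

# Assumed role-to-SGT mapping; HighRisk and Quarantine are the restrictive tags.
ROLE_SGT = {"Employee": 10, "Supplier": 20, "HighRisk": 200, "Quarantine": 255}
CVSS_HIGH_RISK = 7.0   # assumed policy threshold for the High Risk Segment


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key: value, Key: value' into a dict (keys may contain spaces)."""
    fields = {}
    for part in line.split(", "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def build_context(lines: Iterable[str]) -> Dict[str, Dict]:
    """Accumulate per-endpoint context: role, worst CVSS seen, IOC and
    explicit quarantine requests. Later events never lower an earlier risk."""
    ctx: Dict[str, Dict] = {}
    for line in lines:
        ev = parse_event(line)
        entry = ctx.setdefault(ev["Source IP"], {
            "role": ev.get("Role", "Unknown"), "cvss": 0.0, "ioc": False, "quarantine": False})
        if "CVSS" in ev:
            entry["cvss"] = max(entry["cvss"], float(ev["CVSS"]))
        if ev.get("Event") == "IOC":
            entry["ioc"] = True
        if ev.get("Response") == "Quarantine":
            entry["quarantine"] = True
    return ctx


def authorize(entry: Dict) -> str:
    """Authorization policy, most restrictive rule first."""
    if entry["quarantine"] or entry["ioc"]:
        return "Quarantine"
    if entry["cvss"] >= CVSS_HIGH_RISK:
        return "HighRisk"
    return entry["role"]


def coa_decisions(lines: Iterable[str]) -> Dict[str, Dict]:
    """Return the CoA to push for every endpoint whose tag must change.
    Endpoints whose policy result equals their role need no CoA."""
    decisions = {}
    for ip, entry in build_context(lines).items():
        result = authorize(entry)
        if result != entry["role"]:
            decisions[ip] = {"from_sgt": ROLE_SGT.get(entry["role"]),
                             "to_sgt": ROLE_SGT[result], "reason": result}
    return decisions


if __name__ == "__main__":
    for ip, coa in coa_decisions(SAMPLE_EVENTS).items():
        print(ip, coa)
```

Note that 10.4.51.12 is quarantined although its CVSS score is low: an indicator of compromise outranks the vulnerability score in the rule order, which is the point of keeping the policy ordered rather than scoring attributes additively.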
Cisco DNA Center: Simple workflows (Design, Provision, Policy, Assurance)
Software-Defined Access
[Figure: Cisco DNA Center (APIC-EM, Network data platform, Identity Services Engine) above the campus fabric of wireless access points, wireless LAN controllers, switches and routers]
Cisco Identity Services Engine: Authentication, Authorization, Policies
Cisco DNA Center: Fabric Management, Policy Authoring, Workflows, Groups and Policies
ISE and DNA Center connect over pxGrid and REST APIs
Establish user trust with MFA
81% of breaches leverage stolen or weak passwords (Source: Verizon 2018 Data Breach Investigations Report)
● Compromised credentials are a major security risk
● Cumbersome tokens and one-time passwords are not user friendly
Integration surfaces: REST APIs, Web SDK, RADIUS, SAML, OIDC
[Figure: use cases Custom, VPN, RA SSO, RRAS, Multicloud, Email/MSFT, On-Prem]
Start Here, Then Expand
Automatic Enrollment: admins can import users from existing Azure, LDAP and AD directories
Self Enrollment: users can self-enroll into Duo in less than 1 minute
Import Users: provision users using Duo's REST API, or add users manually one at a time or through CSV
● Users can manage their own 2FA devices during login
● Add, remove and configure devices
● Reduce TCO by enabling the user to easily manage their own device
Learn more about Device Management
Assess the health and security posture of any device
99% of vulnerabilities exploited will be ones known by the security team for at least one year (through 2021) (Source: Gartner, Dale Gardner, 2018 Security Summit)
● Attackers exploit known vulnerabilities
● Patching devices (especially user owned) is complex
● End users continue to access data from potentially vulnerable devices
● Accessing critical data from vulnerable devices can be risky
Duo's Trusted Endpoints integrates with endpoint management systems to detect if the device is managed by your IT.
Security Posture Visibility | Endpoint Management Status
Duo's Unified Endpoint Visibility inspects the device at the time of access without installing any endpoint agents.
Mobile Devices: corp managed asset status, biometrics (Touch/Face) status, screen lock status, OS condition (tampered) status, encryption status, platform type, device OS type, device OS version, device owner, Duo Mobile version
Laptops / Desktops: corp managed asset status*, device owner, OS type, OS versions, browser type, browser versions, Flash & Java plugins versions, OS, browser and plugins status
* Additional conditions can be assumed for policy by the corp managed asset status such as disk encryption, anti-virus, etc.
Platforms: iOS, Android, Windows, Mac, ChromeOS
Ownership models: corporate owned & managed; employee owned & corporate managed; employee owned & unmanaged (BYO)
Reliable inventory tracking and reporting of endpoints is a fundamental requirement for compliance and risk management programs.
Trusted Endpoints integration options by platform:
Windows | Native: Microsoft AD, Ivanti (Landesk) | Script based: Symantec Altiris, Chef, Microsoft SCCM, AirWatch, etc. | Alternative: Duo has a generic deployment
Mobile | Duo: Duo Mobile app can be used to trust mobile devices (great for customers w/o MDM) | Native: AirWatch, MobileIron, Google G Suite, Sophos
MacOS | Native: Jamf | Script based: Symantec Altiris, Chef, Microsoft SCCM, AirWatch, etc. | Alternative: Duo has a generic deployment
Admins can monitor whether the devices used are managed or not.
End users get just-in-time notification about out-of-date OS, browsers, Flash and Java. If users do not update by a certain day, the endpoints are blocked.
https://demo.duo.com/remediation
Manage and control who is allowed to access applications
● Customizable security policies
● Global, App & Group level controls
● Establishes a level of trust based on users and devices
https://demo.duo.com/access-control
● Policies are centrally managed in the Duo Admin panel
● Map compliance / security requirements to Duo's policies. Examples:
  ○ Block out-of-date and vulnerable devices from accessing any app
  ○ Step-up authentication for users coming from an unknown IP
  ○ Step-down authentication for users coming from a known geolocation
● Policies can apply:
  ○ Global → all users and applications
  ○ Application → only to a specific application
  ○ Group (users) → only to a specific group of users
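An added example (not Duo's code or API) of how global, application and group policies combine into the three outcomes listed: block an out-of-date device, step up to MFA for an unknown IP, step down for a known network or geolocation. The precedence assumed here is group over application over global; all field names, minimum OS versions, network ranges and country codes are constructed.

```python
"""Layered access policy in the style of the slide: global, application
and group scopes, with rules that block out-of-date devices, step up to
MFA for unknown IPs and step down for known locations.

Added example; not Duo's code or API. Precedence (group overrides
application overrides global) and every field, version, network range
and country code below are assumptions constructed for illustration."""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Tuple

# Global policy: applies to all users and applications.
GLOBAL_POLICY = {
    "min_os": {"Windows": (10, 0), "iOS": (12, 0), "Android": (8, 0)},
    "trusted_networks": ["203.0.113.0/24"],   # constructed office range (TEST-NET-3)
    "step_down_countries": ["RS"],             # known geolocation: primary auth only
    "mfa_on_unknown_ip": True,
}
# Application policy: only the named application. Payroll never steps down.
APP_POLICIES = {"payroll": {"step_down_countries": []}}
# Group policy: only the named user group. Contractors always get MFA.
GROUP_POLICIES = {"contractors": {"trusted_networks": [], "step_down_countries": []}}


def effective_policy(app: str, groups: Iterable[str]) -> Dict:
    """Merge the scopes; each later layer overrides earlier ones key by key."""
    policy = dict(GLOBAL_POLICY)
    policy.update(APP_POLICIES.get(app, {}))
    for group in groups:
        policy.update(GROUP_POLICIES.get(group, {}))
    return policy


def device_out_of_date(policy: Dict, platform: str, os_version: Tuple[int, ...]) -> bool:
    """True when a minimum is defined for the platform and the device is below it."""
    minimum = policy["min_os"].get(platform)
    return minimum is not None and tuple(os_version) < minimum


def decide(groups: Iterable[str], app: str, platform: str,
           os_version: Tuple[int, ...], source_ip: str, country: str) -> str:
    """Returns 'deny' (blocked device), 'allow' (step-down: primary auth
    only) or 'mfa' (step-up: second factor required)."""
    policy = effective_policy(app, groups)
    if device_out_of_date(policy, platform, os_version):
        return "deny"                          # vulnerable device blocked from every app
    ip = ip_address(source_ip)
    known_network = any(ip in ip_network(net) for net in policy["trusted_networks"])
    if known_network or country in policy["step_down_countries"]:
        return "allow"
    return "mfa" if policy["mfa_on_unknown_ip"] else "allow"


if __name__ == "__main__":
    print(decide(["staff"], "wiki", "Windows", (10, 0), "203.0.113.10", "RS"))
    print(decide(["staff"], "payroll", "Windows", (10, 0), "198.51.100.7", "RS"))
```

The device check runs before any step-down rule, so a known network never rescues an out-of-date device; and because the group layer is merged last, the contractors' empty lists win over the global trusted network even when the request comes from the office range.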
Duo supports hundreds of apps out of the box
[Figure: the Duo Cloud Platform (device policy check, device visibility, user policy, user management, MFA management) sits between the access device / MFA device and the protected resources: cloud apps; Web/SSH through the Duo Network Gateway; VPN, virtual desktop, etc. through the Duo Auth Proxy (RADIUS/LDAP); SAML/SSO through the Duo Access Gateway; Duo-integrated apps (azure-ad, rdp, ssh, Windows, app, api, etc.). Primary auth is against AD, Azure-AD, LDAP, etc.]
[Figure: Duo Beyond: a trusted user on a trusted device reaches the Tier 1 (10.0.0.1-4), Tier 2 (*.domain.local) and Tier 3 (192.0.0.1/24) security groups over the public Internet through DNG (443) and SSH]
Use Duo Beyond to secure access to internal networks and the public cloud.
Authentication methods:
• Duo Push
• Mobile Passcode
• Phone, SMS
• HOTP Token
• U2F/WebAuthn
• Bypass
Core service and policy engine is always in the cloud.
Cisco ASA / AnyConnect options:
Preferred: Use Duo Access Gateway (SAML) for ASA. Best user experience + Trusted Endpoints soon.
Optional: Use Duo Auth Proxy (RADIUS). User receives automatic push. Consider for older versions and FTD.
Limited: Use LDAPS. No proxy required. End user experience requires a 2nd password field; Device Trust only supported for web based SSL VPN.
Requirements (SAML):
1. A SAML gateway such as Duo Access Gateway (DAG) for SSO. Read more here.
2. ASA version 9.7.1.24, 9.8.2.28, 9.9.2.1 or higher of each release
3. AnyConnect 4.6 or later
Requirements (RADIUS):
1. Cisco ASA 8.3 or later
2. Cisco FTD 6.3 or later
3. Duo Authproxy
Learn more about AnyConnect RADIUS integration
Duo SSO for Cloud apps
[Figure: an existing SSO/IdP or an AD / SAML directory feeds the Duo Access Gateway]
● Easily access all cloud applications from a single dashboard
● Enable consistent security controls across cloud applications
● Secure every cloud application
DAG Authentication Sources: The DAG is an IdP that verifies authentication requests against an on-premises or cloud identity database.
Cloud Identity Providers: The DAG can be configured to use SAML or OIDC for cloud identities through 3rd party providers.
SAML Providers: Bitium, CA SSO, Radiant Logic, F5, Juniper, Oracle, Shibboleth, Microsoft AD FS, Microsoft Azure AD, G Suite (Google), Okta, OneLogin, SecureAuth, many more
OIDC Providers: Microsoft Azure, G Suite (Google)
On-premises sources: Microsoft AD, Open LDAP, SAML IdP, OpenID Connect
O365, RDP/Windows Logon, and Azure AD use cases:
• Integration with DAG/Duo SSO: on-premises directory, Duo Access Gateway, native SSO and IdP support
• Integration with ADFS: on-premises directory, 3rd party identity provider
• Integration with Azure AD: native Azure-AD conditional access
Directory sync:
• Import users directly into Duo from Azure without any on-premises software
• Import users via LDAP from AD or OpenLDAP directories; requires installation of the Duo Authentication Proxy
Learn more about directory sync
Remote access scenarios: Executive on a Plane, Salesperson at Hotel, Vendor at Customer
Users need to authenticate with MFA into their machines before they can access the internet / secure portal.
Duo Mobile Passcode: use the smartphone you own; enter a one-time passcode
Universal Second Factor (U2F): Yubico or other security keys; just tap the key
Demo: SSH Access with Duo Beyond
● Deploy a Duo Network Gateway in the DMZ using Docker, with both "public" and "internal" access.
● Configure your SAML IdP for primary auth.
● Configure DNG with Duo for secondary auth.
● Configure a web application on the DNG for your protected "internal" application.
● Create public DNS entries for your protected internal web apps to point to the DNG's public interface.
● Users access the "internal" app using their browser.
https://demo.duo.com/ssh-remote-access
CONFIDENTIAL INFORMATION PROPERTY OF DUO SECURITY, INC.
Duo vs Traditional 2FA
Item | Duo | Traditional 2FA
Deployment | Minimal cost; Duo doesn't require or charge for professional services | High cost; professional installation required
Integrations | Unlimited; supports VPNs, RDP, cloud apps, more | Pay per integration; may require custom connectors
Token deployment | No tokens required; use Duo Mobile on smartphones | Several months; token distribution and shipping
Token replacement | No token management; most users prefer Duo Mobile | Lost, stolen or broken replacements; 5-10% lost per month; tokens can also expire or malfunction
On-going maintenance | Included; support included | Additional cost; support sold separately
Patches & updates for the 2FA appliance | Automated; updated by Duo in the cloud | Manual; requires extensive IT admin support
Help desk calls (average per user per year) | 1; easy and intuitive for end-users | 4; clunky and confusing end-user experience
New user enrollment (time per user) | 2-3 min; end-users can self-enroll | 1 hour; requires end-user training
Time to authenticate | 2 seconds; tap to approve the Duo Push request | 15-30 seconds; time to type an OTP
Device visibility (PCs, Macs, & mobile devices, BYOD) | Included | Requires additional products
Role-based user policies (security policies for various user groups) | Included; require more or less security based on user group | Requires additional products; "adaptive auth" needed
Fill in the survey, pick up your gift at the „Informacije” (Information) desk and take part in the prize draw at the closing of the conference.